Tokens expiring too soon


I have a working, but still mostly unused, Keycloak server that currently provides OIDC logins for a MediaWiki instance and my Nextcloud server. Logins work fine. Both Nextcloud and MediaWiki log into the same realm (with different clients) and share a common login session.

But I want an idle timeout of 14 days, with a maximum session length of 30 days, and that’s not happening. My sessions don’t even last one day. I need some advice, please.

Keycloak 12.0.4 running on Ubuntu 20.04.3

Revoke Refresh Token: Off
SSO Session Idle: 14 Days
SSO Session Max: 30 days
SSO Session Idle Remember Me: 0 Minutes
SSO Session Max Remember Me: 0 Minutes
Offline Session Idle: 14 Days
Offline Session Max Limited: 0 Minutes
Client Session Max: 0 Minutes
Access Token Lifespan: 14 Days
Access Token Lifespan for Implicit Flow: 14 Days
Client login timeout: 1 Minute
Login timeout: 30 Minutes
Login action timeout: 5 Minutes
User-initiated Action Lifespan: 5 Minutes
Default Admin-Initiated Action Lifespan: 15 Minutes
Override User-Initiated Action Lifespan: not set

I recently changed the access token lifespan from a much lower value.

Thank you in advance

What do you mean by session?
There are multiple layers of sessions.

Access Token Lifespan: 14 Days

This means that the access token will expire in 14 days (Go to , insert your access token and verify the ‘exp’ claim which is an epoch time so just convert it to formatted time and see if it is 14 days as expected)

SSO Session Idle: 14 Days

This means the refresh token will expire after 14 days (just check it as explained above)

SSO Session Max: 30 days

This means that you can keep refreshing for 30 days
(But you have to refresh at least after 14 days, as the sso session idle parameter is configured)

Also, you could go to your client configuration and check whether you have accidentally overridden those values (it is on the main page of the client settings, somewhere at the end of the page).
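The check described in the reply above (decode the token and read its `exp` claim), as an added example that is not part of the original thread: it decodes a JWT payload locally, without verifying the signature, and compares the real lifespan (`exp - iat`) with the configured one. The function names and the sample tokens are constructed for illustration, and the tokens are assumed to carry both `iat` and `exp` claims.

```python
import base64
import json
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Payload claims of a compact JWT, decoded WITHOUT signature verification.
    Inspection only: never make an authorization decision from this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def token_report(token: str, expected: timedelta, now: datetime) -> dict:
    """Compare the token's real lifespan (exp - iat) with the configured value."""
    claims = decode_claims(token)
    expires = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    actual = timedelta(seconds=claims["exp"] - claims["iat"])
    return {
        "expires_utc": expires.isoformat(),
        "lifespan": actual,
        "matches_config": actual == expected,
        "expired": now >= expires,
    }


def make_sample_token(iat: int, lifespan: timedelta) -> str:
    """Constructed sample token with a fake signature, so the example runs offline."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(
        {"iat": iat, "exp": iat + int(lifespan.total_seconds())}).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    issued = 1_640_995_200  # 2022-01-01T00:00:00Z, constructed
    now = datetime.fromtimestamp(issued, tz=timezone.utc) + timedelta(days=2)
    # One token as configured (14 days), one that only lives a day.
    for label, span in (("14-day", timedelta(days=14)), ("1-day", timedelta(days=1))):
        report = token_report(make_sample_token(issued, span), timedelta(days=14), now)
        print(label, report)
```

Decoding locally also keeps a live token out of third-party web pages; run the same report on both the access token and the refresh token returned by the token endpoint.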

I’ll check it out and make sure I’m not overriding anything. Also, I’m using an open-source Nextcloud plugin that looks like it is obtaining a refresh token but not doing anything with it. I even opened an issue on GitHub asking about it, but I wasn’t sure it was actually broken. I am going to look at the code again, because now I think it might be.

Thanks for the help.


I’m going to do some testing, but I am certain that the problem isn’t my Keycloak config, nor is it the OIDC plugin I’m using for Nextcloud. It is a Nextcloud configuration issue.

In my config.php, I did not set session_lifetime, and it defaults to 60 * 60 * 24 – one day.

My Nextcloud sessions are timing out before my Keycloak sessions do.

I just updated config.php, and I explicitly set session_lifetime to 60 * 60 * 24 * 30. :slight_smile:

I am going to bet a million dollars that I’m experiencing the exact same problem with MediaWiki.

Again, I need to do some testing, but I consider the matter closed.

So, I spoke too soon… still not working. I’m not convinced Keycloak is the problem, though. I’ll keep looking.